[krbdev.mit.edu #6821] The +preauth default in kdc.conf isn't always obeyed.

The RT System itself via RT rt-comment at krbdev.mit.edu
Wed Nov 17 09:09:49 EST 2010


Date: Wed, 17 Nov 2010 11:36:28 +0000
Message-Id: <E1PIgJQ-0004ix-Fp at bahamontes.bath.ac.uk>
To: krb5-bugs at mit.edu
Subject: krb5-admin : possible bug ?
From: Dennis Davis <D.H.Davis at bath.ac.uk>


>Submitter-Id:	net
>Originator:	Dennis Davis
>Organization: BUCS, University of Bath, Bath, BA2 7AY, UK
>Confidential: no
>Synopsis: The +preauth default in kdc.conf isn't always obeyed.
>Severity: non-critical
>Priority: low
>Category: krb5-admin
>Class: sw-bug
>Release: 1.8.3
>Environment:
	
System: OpenBSD bahamontes.bath.ac.uk 4.8 GENERIC.MP#359 i386


>Description:
I'm running an experimental krb5-1.8.3 server and I've noticed that
I get different (and erroneous?) behaviour from krb5-1.7.1 and
krb5-1.6.3 kadmin clients.  All of this is on various releases of
the OpenBSD operating system, although that shouldn't be relevant.

kdc.conf on my server looks like:


[kdcdefaults]
    kdc_ports = 88

[realms]
    BATH.AC.UK = {
        database_name = /kerberosV/var/krb5kdc/principal
        admin_keytab = /kerberosV/var/krb5kdc/kadm5.keytab
        acl_file = /kerberosV/var/krb5kdc/kadm5.acl
        dict_file = /kerberosV/var/krb5kdc/kadm5.dict
        key_stash_file = /kerberosV/var/krb5kdc/.k5.BATH.AC.UK
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des-cbc-crc
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal des-cbc-crc:normal des-cbc-crc:v4
        default_principal_flags = +postdateable,+forwardable,+tgt-based,+renewable,+proxiable,+dup-skey,+allow-tickets,+service,+preauth
    }


This should be fairly standard, with the exception of the "+preauth"
flag being added to "default_principal_flags" as an addition to the
default flags.

If I create principals using a krb5-1.6.3 or krb5-1.7.1 kadmin
client *and* specify the -randkey argument, the principal is created
without the +preauth flag being set.  The +preauth is set only when
I use a krb5-1.8.3 kadmin client with -randkey.

This is demonstrated in the following terminal session:


Script started on Tue Nov 16 16:15:19 2010
ancho.bath.ac.uk ?// krb5-config --all
Version:     Kerberos 5 release 1.6.3
Vendor:      Massachusetts Institute of Technology
Prefix:      /kerberosV
Exec_prefix: /kerberosV
ancho.bath.ac.uk ?// kadmin
Authenticating as principal ccsdhd/admin at BATH.AC.UK with password.
Password for ccsdhd/admin at BATH.AC.UK: 
kadmin:  addprinc bungle1
WARNING: no policy specified for bungle1 at BATH.AC.UK; defaulting to no policy
Enter password for principal "bungle1 at BATH.AC.UK": 
Re-enter password for principal "bungle1 at BATH.AC.UK": 
Principal "bungle1 at BATH.AC.UK" created.
kadmin:  getprinc bungle1
Principal: bungle1 at BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:16:19 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:16:19 GMT 2010 (ccsdhd/admin at BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin:  addprinc -randkey bungle2
WARNING: no policy specified for bungle2 at BATH.AC.UK; defaulting to no policy
Principal "bungle2 at BATH.AC.UK" created.
kadmin:  getprinc bungle2
Principal: bungle2 at BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:16:56 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:16:56 GMT 2010 (ccsdhd/admin at BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, ArcFour with HMAC/md5, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
kadmin:  quit
ancho.bath.ac.uk ?// krb5-config --all
Version:     Kerberos 5 release 1.7.1
Vendor:      Massachusetts Institute of Technology
Prefix:      /kerberosV
Exec_prefix: /kerberosV
ancho.bath.ac.uk ?// kadmin
Authenticating as principal ccsdhd/admin at BATH.AC.UK with password.
Password for ccsdhd/admin at BATH.AC.UK: 
kadmin:  addprinc bungle3
WARNING: no policy specified for bungle3 at BATH.AC.UK; defaulting to no policy
Enter password for principal "bungle3 at BATH.AC.UK": 
Re-enter password for principal "bungle3 at BATH.AC.UK": 
Principal "bungle3 at BATH.AC.UK" created.
kadmin:  getprinc bungle3
Principal: bungle3 at BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:17:44 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:17:45 GMT 2010 (ccsdhd/admin at BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin:  addprinc -randkey bungle4
WARNING: no policy specified for bungle4 at BATH.AC.UK; defaulting to no policy
Principal "bungle4 at BATH.AC.UK" created.
kadmin:  getprinc bungle4
Principal: bungle4 at BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:18:21 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:18:21 GMT 2010 (ccsdhd/admin at BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, ArcFour with HMAC/md5, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
MKey: vno 1
Attributes:
Policy: [none]
kadmin:  quit
ancho.bath.ac.uk ?// krb5-config --all
Version:     Kerberos 5 release 1.8.3
Vendor:      Massachusetts Institute of Technology
Prefix:      /kerberosV
Exec_prefix: /kerberosV
ancho.bath.ac.uk ?// kadmin
Authenticating as principal ccsdhd/admin at BATH.AC.UK with password.
Password for ccsdhd/admin at BATH.AC.UK: 
kadmin:  addprinc bungle5
WARNING: no policy specified for bungle5 at BATH.AC.UK; defaulting to no policy
Enter password for principal "bungle5 at BATH.AC.UK": 
Re-enter password for principal "bungle5 at BATH.AC.UK": 
Principal "bungle5 at BATH.AC.UK" created.
kadmin:  getprinc bungle5
Principal: bungle5 at BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:19:12 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:19:12 GMT 2010 (ccsdhd/admin at BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin:  addprinc -randkey bungle6
WARNING: no policy specified for bungle6 at BATH.AC.UK; defaulting to no policy
Principal "bungle6 at BATH.AC.UK" created.
kadmin:  getprinc bungle6
Principal: bungle6 at BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:19:36 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:19:36 GMT 2010 (ccsdhd/admin at BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin:  quit
ancho.bath.ac.uk ?// exit

Script done on Tue Nov 16 16:19:50 2010

>How-To-Repeat:
  See above.
>Fix:
  Not known.
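The check a KDC administrator would want after reading this report, as an added example (not code from the report or from MIT krb5): it reads the default_principal_flags value from kdc.conf, derives the attributes every new principal should carry, and lists principals whose kadmin getprinc output lacks them. The flag-to-attribute tables are MIT kdc.conf/kadmin names; the sample getprinc text is constructed from the bungle1/bungle2 results above, with the real '@' in the principal names.

```python
# Added audit helper: compares kadmin 'getprinc' output with the '+'/'-' flags
# promised by default_principal_flags and lists principals created without them.
import re

# kdc.conf flag name -> attribute shown by getprinc. A '+' flag sets an
# attribute from PLUS; a '-' flag on a normally-allowed right sets a DISALLOW_*.
PLUS = {"preauth": "REQUIRES_PRE_AUTH", "hwauth": "REQUIRES_HW_AUTH",
        "pwchange": "REQUIRES_PWCHANGE", "pwservice": "PWCHANGE_SERVICE"}
MINUS = {"postdateable": "DISALLOW_POSTDATED", "forwardable": "DISALLOW_FORWARDABLE",
         "tgt-based": "DISALLOW_TGT_BASED", "renewable": "DISALLOW_RENEWABLE",
         "proxiable": "DISALLOW_PROXIABLE", "dup-skey": "DISALLOW_DUP_SKEY",
         "allow-tickets": "DISALLOW_ALL_TIX", "service": "DISALLOW_SVR"}

def expected_attributes(default_principal_flags):
    """Attributes every new principal should carry under this kdc.conf value."""
    want = set()
    for item in filter(None, re.split(r"[,\s]+", default_principal_flags.strip())):
        sign, name = (item[0], item[1:]) if item[0] in "+-" else ("+", item)
        table = PLUS if sign == "+" else MINUS
        if name.lower() in table:
            want.add(table[name.lower()])
    return want

def parse_getprinc(text):
    """Map each 'Principal:' block of kadmin getprinc output to its attribute set."""
    principals, current = {}, None
    for line in text.splitlines():
        if line.startswith("Principal: "):
            current = line.split(": ", 1)[1].strip()
            principals[current] = set()
        elif line.startswith("Attributes:") and current is not None:
            # attributes are space separated; a bare 'Attributes:' means none
            principals[current] = set(line.split(":", 1)[1].split())
    return principals

def audit(getprinc_text, default_principal_flags):
    """Return the principals missing any attribute the KDC default promises."""
    want = expected_attributes(default_principal_flags)
    have = parse_getprinc(getprinc_text)
    return sorted(p for p, attrs in have.items() if want - attrs)

# Constructed sample: the bungle1/bungle2 getprinc results above, condensed.
SAMPLE = ("Principal: bungle1@BATH.AC.UK\nNumber of keys: 6\n"
          "Attributes: REQUIRES_PRE_AUTH\nPolicy: [none]\n"
          "Principal: bungle2@BATH.AC.UK\nNumber of keys: 5\n"
          "Attributes:\nPolicy: [none]\n")
FLAGS = ("+postdateable,+forwardable,+tgt-based,+renewable,+proxiable,"
         "+dup-skey,+allow-tickets,+service,+preauth")
```

Feed it the output of `kadmin.local -q "getprincs"` piped through `getprinc` for each principal to find every -randkey principal the older clients left without REQUIRES_PRE_AUTH; `modprinc +requires_preauth` then repairs each one.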
